comment

hongchaodeng · hongchaodeng · commit 5a965bce19b9 · 2017-06-15T14:19:23.000-07:00
diff --git a/cmd/bootkube/render.go b/cmd/bootkube/render.go
@@ -99,6 +99,10 @@ func validateRenderOpts(cmd *cobra.Command, args []string) error {
 	if (renderOpts.etcdCAPath != "" || renderOpts.etcdCertificatePath != "" || renderOpts.etcdPrivateKeyPath != "") && (renderOpts.etcdCAPath == "" || renderOpts.etcdCertificatePath == "" || renderOpts.etcdPrivateKeyPath == "") {
 		return errors.New("You must specify either all or none of --etcd-ca-path, --etcd-certificate-path, and --etcd-private-key-path")
 	}
+	if renderOpts.etcdCertificatePath != "" && renderOpts.selfHostedEtcd {
+		return errors.New("Cannot specify --etcd-certificate-path with --experimental-self-hosted-etcd." +
+			" Self-hosted etcd + TLS will auto-generate certs based on root CA cert.")
+	}
 	if renderOpts.assetDir == "" {
 		return errors.New("Missing required flag: --asset-dir")
 	}
@@ -208,7 +212,7 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 		}
 	}
 
-	if etcdUseTLS && etcdCACert == nil {
+	if etcdUseTLS && etcdCACert == nil && !renderOpts.selfHostedEtcd {
 		bootkube.UserOutput("NOTE: --etcd-servers=%s but --etcd-ca-path, --etcd-certificate-path, and --etcd-private-key-path were not set. Bootkube will create etcd certificates under '%s/tls'. You must configure etcd to use these certificates before invoking 'bootkube run'.\n", renderOpts.etcdServers, renderOpts.assetDir)
 	}
 
diff --git a/pkg/asset/tls.go b/pkg/asset/tls.go
@@ -148,6 +148,10 @@ func newEtcdTLSAssets(etcdCACert, etcdClientCert *x509.Certificate, etcdClientKe
 	return assets, nil
 }
 
+// newSelfHostedEtcdTLSAssets automatically generates three suites of x509 certificates (CA, key, cert)
+// for self-hosted etcd related components. Two suites are used by etcd members' client and peer ports;
+// one is used via etcd client to talk to etcd by operator, apiserver.
+// Self-hosted etcd doesn't allow user to specify etcd certs.
 func newSelfHostedEtcdTLSAssets(etcdSvcIP, bootEtcdSvcIP string, caCert *x509.Certificate, caPrivKey *rsa.PrivateKey) (Assets, error) {
 	// TODO: This method uses tlsutil.NewSignedCertificate() which will create certs for both client and server auth.
 	//       We can limit on finer granularity.

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,10 @@ func validateRenderOpts(cmd *cobra.Command, args []string) error {`
`99`	`99`	`if (renderOpts.etcdCAPath != "" \|\| renderOpts.etcdCertificatePath != "" \|\| renderOpts.etcdPrivateKeyPath != "") && (renderOpts.etcdCAPath == "" \|\| renderOpts.etcdCertificatePath == "" \|\| renderOpts.etcdPrivateKeyPath == "") {`
`100`	`100`	`return errors.New("You must specify either all or none of --etcd-ca-path, --etcd-certificate-path, and --etcd-private-key-path")`
`101`	`101`	`}`
	`102`	`+ if renderOpts.etcdCertificatePath != "" && renderOpts.selfHostedEtcd {`
	`103`	`+ return errors.New("Cannot specify --etcd-certificate-path with --experimental-self-hosted-etcd." +`
	`104`	`+ " Self-hosted etcd + TLS will auto-generate certs based on root CA cert.")`
	`105`	`+ }`
`102`	`106`	`if renderOpts.assetDir == "" {`
`103`	`107`	`return errors.New("Missing required flag: --asset-dir")`
`104`	`108`	`}`
`@@ -208,7 +212,7 @@ func flagsToAssetConfig() (c *asset.Config, err error) {`
`208`	`212`	`}`
`209`	`213`	`}`
`210`	`214`
`211`		`- if etcdUseTLS && etcdCACert == nil {`
	`215`	`+ if etcdUseTLS && etcdCACert == nil && !renderOpts.selfHostedEtcd {`
`212`	`216`	`bootkube.UserOutput("NOTE: --etcd-servers=%s but --etcd-ca-path, --etcd-certificate-path, and --etcd-private-key-path were not set. Bootkube will create etcd certificates under '%s/tls'. You must configure etcd to use these certificates before invoking 'bootkube run'.\n", renderOpts.etcdServers, renderOpts.assetDir)`
`213`	`217`	`}`
`214`	`218`